donnanian | 25 Jul 20:37 2014

SecRule Multipart Unmatched Boundary error

Hello,

There are times when the SecRule Multipart Unmatched Boundary error is triggered when someone tries to upload images to my site that are pretty big on file size and/or the person is on a slower connection where the upload takes a bit more time. 

Here is an example of what my log reports when this happens:

[Fri Jul 25 13:45:45 2014] [error] [client 96.242.95.24] ModSecurity: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/etc/httpd/conf.d/modsecurity.conf"] [line "82"] [id "200003"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "editthis.net"] [uri "/collage"] [unique_id "U9KXxUIX7NAAAHkUI@UAAAAL"]

What can I do to allow the file(s) to be uploaded without having to disable ModSecurity altogether or any rules? 

Thank you.
 
------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

running mod security without collection data SecDataDir

hello there ;-)

i'm running mod security 2.6.7 on an opensuse 13.1 64 bit box

but i'm having problem with mod security not being able to create the 
files for collection data in folder defined in SecDataDir

here's a link to my problem:

https://github.com/SpiderLabs/ModSecurity/issues/688

so ... what impact does it have on mod security, running it without 
being able to create the collection data?

is it safe to run mod security without SecDataDir? or does it have a 
negative impact?

thanks a lot for your help

greetings
becki


Muhammad Raheel | 23 Jul 10:41 2014

I followed an article to install mod_security but having 403 error on submitting request

Hi,

I followed an article to install mod_security but am getting a 403 error on submitting a request.


Error Log:


[Wed Jul 23 08:40:31 2014] [error] [client 212.215.192.9] ModSecurity: Rule 7effb5260280 [id "950901"][file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "jeeblaban.com"] [uri "/admin2550/index.php"] [unique_id "U890-mRKpEUAACf2A6gAAAAB"]
[Wed Jul 23 08:40:31 2014] [error] [client 212.215.192.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*)?([\\\\d\\\\w]+)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*)?(?:=|<=>|r?like|sounds\\\\s+like|regexp)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*)?\\\\2|([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\ ..." at ARGS:description_short_1. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2.2.5"] [msg "SQL Injection Attack"] [data "p>test"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "jeeblaban.com"] [uri "/admin2550/index.php"] [unique_id "U890-mRKpEUAACf2A6gAAAAB"]


Please advise me.

Best regards,

Muhammad Raheel
------------------------------------------------------------------------------
rewt rewt | 22 Jul 13:38 2014

Disable local file creation with PUT/POST


Dear All,
I am facing a ModSecurity feature I want to remove and I don't know how to proceed.
Indeed, i have setup MS as a reverse proxy to protect a web application.

In this web application there is big files upload.

At first file upload was not working and i got errors saying that the SecUploadDir was not defined...

I created the "SecUploadDir /tmp" in modsecurity-general.conf files and i discovered that each uploaded file was created in /tmp, which is not possible in my situation as many users upload big files...

What could i do to avoid the "local" file creation in case of files uploaded through PUT/POST ?

Any help would be much appreciated!

David R





Laurens De Vries | 19 Jul 11:12 2014

Bypass all rules on Cookies


I have modsecurity with Core Rule Set running on one of our subdomains. My problem is that other subdomains often set cookies for the whole domain. The cookies are sent to my secured subdomain and trigger ModSecurity.

I used:

RequestHeader Unset Cookie early

to remove the cookies, but I'm still getting 403s on checks on cookies.


I think I could use SecRuleUpdateTargetById to remove the HTTP_COOKIE target, but there are many and I was hoping for a more stable solution.

Is there either a setting, or a rule I can add, to clear/bypass any cookie for all rules of the Core Set?



Laurens
------------------------------------------------------------------------------
Ithier de LESTRANGE | 17 Jul 11:10 2014

Why the rule MULTIPART_UNMATCHED_BOUNDARY is triggered ?

Greetings all,

I am using ModSecurity in detection only mode. I have the error "Multipart parser detected a possible unmatched boundary." (rule id 200003) but I don't know why. Before removing the rule for this page, I am trying to understand why this rule is triggered.
The page contains a multipart form with a lot of parts (> 500) but it seems correct. Here is the error log (I have removed sensitive data like cookies).


--5bcad07f-B--
POST /admin/restore HTTP/1.1
Content-Length: 60604
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary04I4lhDFrA43DidD
Accept-Encoding: gzip,deflate,sdch
Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4

--5bcad07f-C--
------WebKitFormBoundary04I4lhDFrA43DidD
Content-Disposition: form-data; name="action"

details
------WebKitFormBoundary04I4lhDFrA43DidD
Content-Disposition: form-data; name="lst_config"

----------
------WebKitFormBoundary04I4lhDFrA43DidD
Content-Disposition: form-data; name="pattern"

*
------WebKitFormBoundary04I4lhDFrA43DidD
Content-Disposition: form-data; name="structure/#pattern#"

4

... 565 more like this ...

------WebKitFormBoundary04I4lhDFrA43DidD
Content-Disposition: form-data; name="datas/zsyslucene"

2
------WebKitFormBoundary04I4lhDFrA43DidD
Content-Disposition: form-data; name="files/zsyslucene"

2
------WebKitFormBoundary04I4lhDFrA43DidD--

--5bcad07f-F--
HTTP/1.1 302 Déplacé Temporairement
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive

--5bcad07f-E--

--5bcad07f-H--
Message: Warning. Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/etc/modsecurity/modsecurity.conf"] [line "80"] [id "200003"] [msg "Multipart parser detected a possible unmatched boundary."]
Message: Warning. Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/etc/modsecurity/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "219"] [id "960915"] [rev "1"] [msg "Multipart parser detected a possible unmatched boundary."] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5, SQLi=0, XSS=0): Multipart parser detected a possible unmatched boundary."]
Apache-Handler: jakarta-servlet
Stopwatch: 1405507685199400 1594913 (- - -)
Stopwatch2: 1405507685199400 1594913; combined=554646, p1=351, p2=554108, p3=3, p4=76, p5=108, sr=53, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache/2.4.7
Engine-Mode: "DETECTION_ONLY"

--5bcad07f-J--
Total,0

--5bcad07f-Z--


To me the form seems correct. I have activated the debug log but I didn't find anything useful. I can give you some parts if needed (the whole file, just for this page, is > 120 MB!)
Any idea why this rule is triggered?

Thanks
Ithier
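
The ModSecurity reference manual describes MULTIPART_UNMATCHED_BOUNDARY as set when the multipart parser meets a line that begins with two dashes but is not the declared boundary, so a field value that itself starts with `--` is worth checking for in a form that otherwise looks correct. The following is an added example, not part of the original post and not ModSecurity's own parser: it approximates that check in Python over a body constructed from the first three parts shown in the audit log above, and the function names are hypothetical.

```python
"""Triage helper: list body lines that look like multipart boundaries but are not.

This is an approximation for reading audit logs, not ModSecurity's parser.
"""
import re

# Matches the name parameter of a part header; \b keeps filename="..." from matching.
NAME_RE = re.compile(r'^content-disposition:.*?\bname="([^"]*)"', re.IGNORECASE)


def declared_boundary(content_type):
    """Extract the boundary parameter from a multipart Content-Type value."""
    m = re.search(r'boundary="?([^";]+)"?', content_type, re.IGNORECASE)
    if not m:
        raise ValueError("no boundary parameter in Content-Type")
    return m.group(1).strip()


def boundary_lookalikes(content_type, body):
    """Return (line_number, field_name, line) for every line outside part
    headers that starts with "--" yet is neither the part delimiter nor the
    closing delimiter. field_name is None outside any part."""
    boundary = declared_boundary(content_type)
    delimiter = "--" + boundary
    closing = delimiter + "--"
    hits = []
    field = None
    in_headers = False
    for number, raw in enumerate(body.split("\n"), start=1):
        line = raw.rstrip("\r")
        if line == delimiter:
            field, in_headers = None, True      # a new part starts
        elif line == closing:
            field, in_headers = None, False     # end of the multipart body
        elif in_headers:
            if line == "":
                in_headers = False              # blank line ends the part headers
            else:
                m = NAME_RE.search(line)
                if m:
                    field = m.group(1)
        elif line.startswith("--"):
            hits.append((number, field, line))  # looks like a boundary, is not
    return hits


# Constructed sample: the Content-Type and the first three parts from the
# audit log in the post, closed immediately instead of carrying all parts.
SAMPLE_CONTENT_TYPE = (
    "multipart/form-data; boundary=----WebKitFormBoundary04I4lhDFrA43DidD"
)
_B = "------WebKitFormBoundary04I4lhDFrA43DidD"
SAMPLE_BODY = "\r\n".join([
    _B, 'Content-Disposition: form-data; name="action"', "", "details",
    _B, 'Content-Disposition: form-data; name="lst_config"', "", "----------",
    _B, 'Content-Disposition: form-data; name="pattern"', "", "*",
    _B + "--", "",
])

if __name__ == "__main__":
    for number, field, line in boundary_lookalikes(SAMPLE_CONTENT_TYPE, SAMPLE_BODY):
        print(f"line {number}: field {field!r} has boundary-like value {line!r}")
```

Run against the C section of a real audit log entry, any line it reports is a candidate for a narrowly scoped exception on that page rather than removing the rule globally.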

Ronald.Ploeger | 16 Jul 17:52 2014

How to enable JSON support during compilation.

Hi,

We are compiling ModSecurity ourselves on Linux.

From this post http://article.gmane.org/gmane.comp.apache.mod-security.user/11442 I understand that one has to enable JSON support (yajl) during compilation. How do I do this?

Thanks and best regards,

Ronald

Ryan Barnett | 14 Jul 15:00 2014

Seeking ModSecurity Experts to join SpiderLabs Research Team

My team in Trustwave SpiderLabs Research (Web Server Security Team) is looking to add another ModSecurity expert/consultant to the team. Our professional services business is exploding and we need help. If you are a ModSecurity expert and want to join SpiderLabs, please read more about the position and apply here:

Ryan Barnett

Senior Lead Security Researcher, SpiderLabs

 

Trustwave | SMART SECURITY ON DEMAND

www.trustwave.com



Nerijus Baliunas | 13 Jul 21:01 2014

disable mod_security for Location

Hello,

CentOS 6.5, mod_security-2.7.3-3.el6.x86_64 and mod_security_crs-2.2.6-3.el6.noarch
packages installed. I would like to disable mod_security for OCS-NG (Location /ocsinventory).

/etc/httpd/modsecurity.d/activated_rules/modsecurity_localrules.conf:

<Location /ocsinventory>
<IfModule mod_security2.c>
 SecRuleEngine Off
 SecRuleInheritance Off
</IfModule>
</Location>

/etc/httpd/conf.d/ocsinventory-server.conf:

  <Location /ocsinventory>
        order deny,allow
        allow from all
        Satisfy Any
        SecRuleEngine Off
        SecRuleInheritance Off
        SetHandler perl-script
        PerlHandler Apache::Ocsinventory
  </Location>

But still in the apache logs:
[error] [client 10.10.10.2] ModSecurity: Access denied with
code 403 (phase 1). Match of "rx ^% {tx.allowed_request_content_type}$"
against "TX:0" required. [file /etc/httpd/modsecurity.d/activated_rules/
modsecurity_crs_30_http_policy.conf"]
...
 [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [hostname "example.com"]
 [uri "/ocsinventory"] 

Thanks,
Nerijus


rewt rewt | 10 Jul 13:57 2014

Capture GEO data in SecRule

Dear All,
I'm trying to log failed and successful attempts on a portal.

I'm getting the environment variables through capture + setenv, and I use them in a shell script called with exec:""

The idea is to log something like:

DATE - REMOTE_ADDR - username - REQUEST_URI --> this works perfectly!

I wanted to add information about GEO location

SecRule REQUEST_FILENAME "@contains security_check" "chain,phase:3,t:none,id:'999004',pass,log,auditlog,msg:'Failed Authentication Attempt.',logdata:'Username - %{args.username} - %{REMOTE_ADDR}',setenv:AUTH_NAME=%{args.username},setenv:AUTH_RESULT='Failed', exec:'/usr/local/bin/logusers.sh'"
 SecRule REQUEST_METHOD "@streq POST" "chain,t:none"
   SecRule RESPONSE_STATUS "@streq 401" "chain,t:none"
        SecRule GEO:COUNTRY_CODE "^(.*)$" "chain,t:none,nolog,noauditlog,capture,setenv:GEOCOUNTRY=%{TX.0}"
         SecRule GEO:CITY "^(.*)$" "chain,t:none,nolog,noauditlog,capture,setenv:GEOCITY=%{TX.0}"
               SecRule ARGS:username ".*" "chain,t:none,nolog,noauditlog,capture,setuid:%{TX.0}"

My script /usr/local/bin/logusers.sh

#!/bin/bash
OUTPUT=/tmp/logfail
echo "$(date "+%Y-%m-%d %H:%M:%S"),${AUTH_RESULT},${REMOTE_ADDR},${GEOCOUNTRY},${GEOCITY},${AUTH_NAME},${REQUEST_URI}" >> $OUTPUT
set >> $OUTPUT
echo "0"

The set command output does not contain the GEOCOUNTRY and GEOCITY variables :(
My GEOCOUNTRY and GEOCITY variables are not created...

For the GEO config I have this for the collection in modsecurity.conf:
SecGeoLookupDb /etc/httpd/GeoIP.dat
SecRule REMOTE_ADDR "@geoLookup" "chain,id:22,deny,msg:'IP address not allowed'"
SecRule GEO:COUNTRY_CODE "!@pm CH FR DE"

Any help would be appreciated!


Kind regards,
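
A hardened take on the `exec:` logging script from the post above, as an added example that is not part of the original message: `args.username` is client-supplied, so every field is stripped of control characters and CSV delimiters before it is written. `sanitize_field`, `format_log_line` and `LOGUSERS_OUTPUT` are names made up for this example; the environment variable names and the /tmp/logfail default are the post's.

```shell
#!/bin/sh
# Added example (not the poster's script): log one CSV line per event
# without letting request data forge fields or extra log lines.

# Print $1 with control bytes removed, "," and '"' replaced by "_",
# capped at 128 characters; an empty value becomes "-".
sanitize_field() {
    clean=$(printf '%s' "$1" \
        | LC_ALL=C tr -d '\000-\037\177' \
        | LC_ALL=C tr ',"' '__' \
        | cut -c1-128)
    printf '%s' "${clean:--}"
}

# $1 is the timestamp; the other fields are read from the environment,
# using the variable names from the post's setenv actions and script.
format_log_line() {
    printf '%s,%s,%s,%s,%s,%s,%s\n' "$1" \
        "$(sanitize_field "${AUTH_RESULT:-}")" \
        "$(sanitize_field "${REMOTE_ADDR:-}")" \
        "$(sanitize_field "${GEOCOUNTRY:-}")" \
        "$(sanitize_field "${GEOCITY:-}")" \
        "$(sanitize_field "${AUTH_NAME:-}")" \
        "$(sanitize_field "${REQUEST_URI:-}")"
}

# Write a line only when the rule's variables are present, as under exec:.
# The post's "set >> $OUTPUT" debug dump is left out on purpose: it copies
# every request-derived variable into the log unsanitized.
if [ -n "${AUTH_RESULT:-}" ]; then
    umask 077   # a newly created log file is readable by its owner only
    # LOGUSERS_OUTPUT is a hypothetical override; the default is the post's path.
    format_log_line "$(date '+%Y-%m-%d %H:%M:%S')" \
        >> "${LOGUSERS_OUTPUT:-/tmp/logfail}"
    echo "0"    # like the post's script, report back on stdout
fi
```

Missing GEO values show up as `-` in the output, which makes an unset `GEOCOUNTRY` or `GEOCITY` visible in the log itself.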

Jeff Jacob | 9 Jul 22:36 2014

2.8.0 modifying requests on iis in detection only

I've installed ModSecurity IIS 2.8.0 and have SecRuleEngine DetectionOnly

 

My modsecurity_iis.conf looks like:

Include modsecurity.conf
#Include modsecurity_crs_10_setup.conf
#Include owasp_crs\base_rules\*.conf
#Include Nanaimo_whiteList.conf

 

But it's still doing something to my requests.

I'm submitting a request from an ms ajax update panel that ms magic should respond to with something like

1|#||4|15978|updatePanel|ContentPlaceHolder1_objUpdate|

            <div>

But I'm getting raw HTML

 

If I comment the first line (Include modsecurity.conf) my app works as expected.

 

I noticed that when it works it also returns text/plain not text/html

 

Is it possible modsecurity could be modifying the request at all with the base rules in DetectionOnly mode?

 

--
Jeff Jacob
Applications Analyst
Information Technology
City of Nanaimo
